I am trying to setup a Samba Server and a Windows share with Full ACL support. From what I have read and from my own experimentation I need to use vfs_acl_xattr to do this.

At the moment I am not having too much success trying this on Samba 3.6 so I am wondering about trying Samba 4. Only thing is I keep reading that Samba 4 is experimental and should not be used on a production Server yet.

Has anyone got an opinion about whether I would be better off using Samba 4 or not.

Thanks,
Nick

Ser Olmy

01-24-2013 08:20 PM

You should be able to get full ACL support with either version of Samba by simply adding the acl and user_xattr mount options to the underlying file system. The VFS module is not required.

As for stability, Sambe 4.0 is pretty good, but if you don't actually need AD DC functionality there's nothing wrong with sticking with 3.6 for now.

Nick_C

01-25-2013 05:26 AM

Well need to connect to a Windows AD DC but wasn't thinking of using Samba as the DC.

Not sure that the above configuration is enough, using that I don't seem to get full ACL support.
Deleting all permissions from windows in preparation for adding our owm ACL entries doesn't work and a whole load of default entries appear back again:

System - Full - This folder, subfolders and files
Authenticated Users - Read & Execute - This folder, subfolders and files
Domain Admins - Full - This folder, subfolders and files
Everyone - None - This folder, subfolders and files
Administrator - Full - This folder only
Domain Users - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only
Domain Users - Full - Subfolders and files only

Problem is there are a bunch of fixed default ACL entries which cannot be removed:

System - Full - This folder, subfolders and files
Authenticated Users - Read & Execute - This folder, subfolders and files
Domain Admins - Full - This folder, subfolders and files
Everyone - None - This folder, subfolders and files
Administrator - Full - This folder only
Domain Users - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only
Domain Users - Full - Subfolders and files only

Anyone know how I can get rid of these?

Thanks,
Nick

scheidel21

01-27-2013 06:08 PM

Those defaults exist in Windows domains by default, I highly doubt you can or should get rid of them.

Nick_C

01-29-2013 05:24 AM

Well if Samba is to provide a completely seamless share to windows users such that they do not even know they are using Linux/Samba then these should be able to be deleted as they can be in windows.

From what I have read there should be some way of getting Samba to completely emulate a windows share, I just haven't found the correct settings yet.

scheidel21

01-29-2013 07:00 AM

You might be able to delete these in Windows (though I may be wrong on that) but there would be no reason you would ever delete these on windows. Why do you want to delete them off of Samba? It could cause issues working with Widows machines, especially in a domain environment.

Nick_C

01-29-2013 07:13 AM

Well we want to be able to set our own permissions which I then hope to see inherited by everything on that share.

OK I see what you want now, I was mistaken in my understanding of what you were seeking. You should be able to do what you are trying to do. For testing could you try disabling inherit acls on the share and then delete and see if they reappear.

Nick_C

01-29-2013 11:31 AM

Slightly different results but still get the following ACEs added back again:

Everyone - None - This folder, subfolders and files
root - Full - This folder only
Enterprise Admins - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only

scheidel21

02-05-2013 07:37 PM

This is an odd one, I'm out of suggestions at the moment, sorry.

Nick_C

02-06-2013 07:16 AM

What I was hopeing for was to find someome else who is using Samba with these ACL options to find out if they get the same behaviour. However from lack of other replies I guess no one else is actually using this. Thanks for your help.

scheidel21

02-06-2013 08:02 AM

A thought, perhaps user and group mapping from the Linux file system to samba mappings of Windows users and groups is causing these to reappear.

Nick_C

02-10-2013 11:06 AM

Yep that sounds like a distinct possibility. Is there a way to turn off all user & group mapping from smb.conf? I have had a look through the docs and nothing obvious on how to do that.